Chrome 53 arrives with new developer features

Google today launched Chrome 53 for Windows, Mac, and Linux. This release is mainly focused on developers, but there’s no reason for anyone to hold off on updating. You can update to the latest version now using the browser’s built-in silent updater, or download it directly from google.com/chrome.

Chrome is arguably more than a browser: With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

Chrome 53 also brings Google’s Material Design mantra, first introduced at the company’s I/O conference in June 2014, to Windows. Chrome for iOS got Material Design back in January 2015 with version 40 and Chrome for Mac received Material Design last month in version 52.

Chrome 53 supports Shadow DOM V1, which allows an element to encapsulate its style and child DOM away from the main document. This is useful when trying to maintain large code bases of HTML, CSS, and JavaScript. Chrome will support V0 of the API until enough developers have moved to V1.

Other developer features in this release include:

• Sites that send notifications to Android devices running Android 6.0 (Marshmallow) or later may now provide a badge to show in the status bar in place of the Chrome logo.
• Notification objects now provide getters for reading the notification action buttons and vibration pattern.
• Cross-origin plugin content smaller than 5×5 pixels no longer loads for users that have set “Detect and run important plugin content.”
• The allow-presentation sandbox flag allows sites to control whether an iframe can present to external devices.
• Pattern attribute values on input elements now use the unicode flag, improving syntax checking and other regular expression ergonomics.
• 3D-positioned elements will be flattened if an ancestor has opacity less than 1.
• To prevent visual artifacts, all content will be re-rastered when its transform scale changes, unless it has the will-change: transform CSS property.
• Low-pass and high-pass biquad filters now support more filter characteristics.
• –webkit-filter is now an alias for the unprefixed filter property and will behave identically, instead of having separate behaviors.
• –webkit-user-select now supports an all property which forces a selection to contain an entire element and all its descendants.
• The Web Bluetooth API is available experimentally on some platforms, as an origin trial, allowing sites to communicate with nearby devices using the Bluetooth Generic Attribute Profile (GATT).
• The text-size-adjust property allows sites to control whether font size automatically scales on mobile devices.

Chrome 53 also includes 33 security fixes, of which Google chose to highlight the following:

• [$7500][628942] High CVE-2016-5147: Universal XSS in Blink. Credit to anonymous
• [$7500][621362] High CVE-2016-5148: Universal XSS in Blink. Credit to anonymous
• [$7500][573131] High CVE-2016-5149: Script injection in extensions. Credit to Max Justicz  (http://web.mit.edu/maxj/www/)
• [$5000][637963] High CVE-2016-5150: Use after free in Blink. Credit to anonymous
• [$5000][634716] High CVE-2016-5151: Use after free in PDFium. Credit to anonymous
• [$5000][629919] High CVE-2016-5152: Heap overflow in PDFium. Credit to GiWan Go of Stealien
• [$3500][631052] High CVE-2016-5153: Use after destruction in Blink. Credit to Atte Kettunen of OUSPG
• [$3000][633002] High CVE-2016-5154: Heap overflow in PDFium. Credit to anonymous
• [$3000][630662] High CVE-2016-5155: Address bar spoofing. Credit to anonymous
• [$3000][625404] High CVE-2016-5156: Use after free in event bindings. Credit to jinmo123
• [$TBD][632622] High CVE-2016-5157: Heap overflow in PDFium. Credit to anonymous
• [$TBD][628890] High CVE-2016-5158: Heap overflow in PDFium. Credit to GiWan Go of Stealien
• [$TBD][628304] High CVE-2016-5159: Heap overflow in PDFium. Credit to GiWan Go of Stealien
• [$n/a][622420] Medium CVE-2016-5161: Type confusion in Blink. Credit to 62600BCA031B9EB5CB4A74ADDDD6771E working with Trend Micro’s Zero Day Initiative
• [$n/a][589237] Medium CVE-2016-5162: Extensions web accessible resources bypass. Credit to Nicolas Golubovic
• [$3000][609680] Medium CVE-2016-5163: Address bar spoofing. Credit to Rafay Baloch PTCL Etisalat (http://rafayhackingarticles.net)
• [$2000][637594] Medium CVE-2016-5164: Universal XSS using DevTools. Credit to anonymous
• [$1000][618037] Medium CVE-2016-5165: Script injection in DevTools. Credit to Gregory Panakkal
• [$TBD][616429] Medium CVE-2016-5166: SMB Relay Attack via Save Page As. Credit to Gregory Panakkal
• [$500][576867] Low CVE-2016-5160: Extensions web accessible resources bypass. Credit to @l33terally, FogMarks.com (@FogMarks)
• [642598] CVE-2016-5167: Various fixes from internal audits, fuzzing and other initiatives.

If you add all those up, you’ll see Google spent a whopping $56,500 in bug bounties this time around — and that number is lowballed, given all the rewards that have yet to be decided. As always, the security fixes alone should be enough incentive for you to upgrade.

Chrome 53 for Android and iOS are also on their way, but Google has not shared exactly when they will ship. Chrome 54 will arrive in October.